mirror of
https://github.com/torvalds/linux
synced 2024-11-05 18:23:50 +00:00
ethtool: fix a potential missing-check bug
In ethtool_get_rxnfc(), the object "info" is firstly copied from user-space. If the FLOW_RSS flag is set in the member field flow_type of "info" (and cmd is ETHTOOL_GRXFH), info needs to be copied again from user-space because FLOW_RSS is newer and has new definition, as mentioned in the comment. However, given that the user data resides in user-space, a malicious user can race to change the data after the first copy. By doing so, the user can inject inconsistent data. For example, in the second copy, the FLOW_RSS flag could be cleared in the field flow_type of "info". In the following execution, "info" will be used in the function ops->get_rxnfc(). Such inconsistent data can potentially lead to unexpected information leakage since ops->get_rxnfc() will prepare various types of data according to flow_type, and the prepared data will be eventually copied to user-space. This inconsistent data may also cause undefined behaviors based on how ops->get_rxnfc() is implemented. This patch simply re-verifies the flow_type field of "info" after the second copy. If the value is not as expected, an error code will be returned. Signed-off-by: Wenwen Wang <wang6495@umn.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
26ff75857e
commit
d656fe49e3
1 changed files with 5 additions and 0 deletions
|
@ -1032,6 +1032,11 @@ static noinline_for_stack int ethtool_get_rxnfc(struct net_device *dev,
|
|||
info_size = sizeof(info);
|
||||
if (copy_from_user(&info, useraddr, info_size))
|
||||
return -EFAULT;
|
||||
/* Since malicious users may modify the original data,
|
||||
* we need to check whether FLOW_RSS is still requested.
|
||||
*/
|
||||
if (!(info.flow_type & FLOW_RSS))
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (info.cmd == ETHTOOL_GRXCLSRLALL) {
|
||||
|
|
Loading…
Reference in a new issue